lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1112373912.28096.2.camel@localhost>
Date: Fri Apr  1 17:46:51 2005
From: druid at caughq.org (I)ruid)
Subject: CAU-2005-0001: Chat Service Users - "Oops! Wrong
	Window" Information Disclosure

                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/
                                                     
                    Computer Academic Underground
                        http://www.caughq.org
                          Security Advisory 

===============/========================================================
Advisory ID:    CAU-2005-0001
Release Date:   04/01/2005
Title:          Chat Service Users - "Oops! Wrong Window" Information
                Disclosure
Application/OS: Users of All Chat Services
Topic:          Risk of sensitive information disclosure
Vendor Status:  Multiple Vendor - N/A
Attributes:     Information Disclosure, Remote
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0001.txt
Author/Email:   I)ruid (druid@...ghq.org)
===============/========================================================

Overview
========

A potential information disclosure vulnerability exists with all users
of chat services.  When users do not adequately pay attention to which
window or application has focus on their workstation, they may 
inadvertently type sensitive information like passwords or personal
information into the chat service.


Impact
======

Sensitive information may be disclosed by a careless user.  Severity
varies depending on the user, the type of information and the number of
other users in the chat service that the user is logged into.
Frequently, this information can contain passwords, sensitive personal
information, or potential blackmail material that was meant for a
private chat channel or "room".

In the case of passwords or other types of authentication information,
the usefulness of such information generally diminishes fairly quickly
as the user immediately realizes that the information is compromised and
may move to change their authentication information.  In such cases, a
race-condition is introduced between the user changing the authentication
information and the attacker attempting to identify where the information
may be used to authenticate and using that information to gain access.


Affected Systems
================

All users currently logged into any chat system.


Technical Explanation
=====================

The currently selected (or active) window or application in a windowed
desktop environment is said to have "focus".  When a careless user
becomes distracted or disoriented, often due to blatant and gratuitous
intoxication, they may inadvertently leave focus on their chat
application while attempting to address an event caused by another
application, such as a password prompt, web form asking for personal
information, or even a conversation within another channel or "room"
in the chat service.  When these types of conditions occur, the
requested information that the user thought was being handled by the
application which generated the event is instead transmitted via the
still-focused chat application onto the chat network where it is
received by other, potentially malicious, users.  The sensitive
information is then generally followed by a "Oops! wrong window."
message of some form as the user tries to play off their obvious
incompetence as just a harmless accident.


Solution & Recommendations
==========================

Pay attention to what you are doing when logged into chat services.


Exploitation
============

Log into any affected chat service.  Join a channel, or "room", with
a large number of participants.  Wait for someone to send a message
like "Oops! wrong window." or a similar variant, then note the
preceding few messages from that user which may contain sensitive
information.


Credits & Gr33ts
================

The rest of the CAU crew, EFNet #C, NMRC, dc214, Octavius, Professor
Julius Sumner Miller, NWH, the April Fool, and everyone who's ever
typed "Oops! wrong window."


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050401/50a01f18/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ